The present invention relates generally to a file security management apparatus and method which protect various types of file-executing systems from malicious code entering from the outside, which prevent data from being divulged from those systems, and which prevent the systems from operating erroneously, thereby ultimately protecting the systems.
With the development of data processing systems, such as computers, mobile terminals or the like, which operate and manage various types of data, and with the development of communication networks, such as the Internet, which mediate intercommunication, massive amounts of data are being handled via data processing systems.
Such data include information harmful to users as well as information beneficial to users. Examples of information harmful to users include malicious code, such as a computer virus, spyware, adware, etc. Malicious code may cause serious damage to a data processing system that is used by a plurality of specified or unspecified users, may cause a user to perform an undesirable operation, or may divulge the private information of a user and thus cause economic damage to the corresponding user. Accordingly, attempts have been continuously made to monitor and block such malicious code.
Conventionally and generally, to search for malicious code, the patterns of known malicious code are stored in a database (DB) in advance, and it is then monitored whether a file having any one of the stored patterns is present at a specific location of a designated data processing system or network.
However, the conventional method is problematic in that the degree of security obtained for the invested time and resources is low, because stored files are randomly selected and compared with the patterns stored in the DB. Furthermore, the conventional method is limited in that a conventional security apparatus cannot monitor malicious code that is dormant, or is not yet malicious in itself, at a specific time and only initiates a malicious function when it is processed or when a specific time is reached, because the security of a given file is inspected only at the arbitrary time at which the conventional security apparatus happens to operate, regardless of when the file is executed. Furthermore, the conventional method is also limited in that execution of a file may already have been completed before its inspection, because inspection is performed only after the inspection target file has entered the system. That is, in the case where the inspection target file is infected with malicious code, the malicious code causes a problem even though the corresponding system is equipped with a security apparatus based on the conventional method.
In order to overcome these problems, a method was proposed in which a conventional security apparatus inspects all files present in a data processing system, or at specific locations, at regular intervals. However, this method is problematic in that the conventional security apparatus needs high-level specifications in order to perform precise file monitoring, because the number of security target files that it must monitor is potentially massive, depending on the size of the data processing system or the number of specific locations, and because the number of times monitoring is performed increases as the inspection interval decreases. Furthermore, this method is limited in that the problem of an inspection target file having entered the system and having been executed before inspection is still not solved.
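The two limitations described above (a file can enter and execute between scan passes, and shortening the interval multiplies the number of passes) can be made concrete with a small simulation. This is an added illustration, not part of the patent text: the signature DB, the byte patterns and the sample files are all constructed placeholders, and the tick-based timeline is an assumed simplification of the periodic scanning method the background describes.

```python
from dataclasses import dataclass

# Constructed signature DB (placeholder byte patterns, not real malware signatures).
SIGNATURE_DB = {"sig-A": b"MARKER_A", "sig-B": b"MARKER_B"}


@dataclass
class IncomingFile:
    name: str
    content: bytes
    arrived_at: int    # tick at which the file entered the system
    executes_at: int   # tick at which the system first runs it


def match_signatures(content: bytes) -> list:
    """Conventional pattern match: names of DB patterns contained in the file."""
    return [name for name, pat in SIGNATURE_DB.items() if pat in content]


def interval_scan(files, interval, horizon):
    """Scan every `interval` ticks up to `horizon`, as in the periodic method.

    Returns (number of scan passes, result per file that carries a DB pattern),
    where each result records the first pass that could see the file and whether
    the file had already executed before that pass (the detection gap).
    """
    scan_ticks = list(range(0, horizon + 1, interval))
    results = {}
    for f in files:
        if not match_signatures(f.content):
            continue  # clean file: nothing to report
        first_scan = next((t for t in scan_ticks if t >= f.arrived_at), None)
        results[f.name] = {
            "detected_at": first_scan,
            "executed_before_detection": first_scan is None or f.executes_at < first_scan,
        }
    return len(scan_ticks), results


# Constructed sample: one clean file and two files carrying a DB pattern.
SAMPLE_FILES = [
    IncomingFile("report.txt", b"quarterly figures", arrived_at=3, executes_at=20),
    IncomingFile("tool.exe", b"code MARKER_A code", arrived_at=11, executes_at=12),
    IncomingFile("setup.exe", b"MARKER_B", arrived_at=11, executes_at=25),
]

if __name__ == "__main__":
    for interval in (10, 2):
        passes, res = interval_scan(SAMPLE_FILES, interval, horizon=30)
        print(f"interval={interval}: {passes} scan passes, {res}")
```

With a 10-tick interval, tool.exe enters at tick 11 and runs at tick 12, before the next pass at tick 20; cutting the interval to 2 closes that particular gap but quadruples the number of passes over the same horizon, which is the resource trade-off the text points out.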